cmake: decouple FORTIFY_SOURCE check from Debug build type #30824

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:decouple_fortify_debug_mode changing 1 files +10 −7
  1. fanquake commented at 3:36 pm on September 5, 2024: member

    FORTIFY_SOURCE should be used if ENABLE_HARDENING=ON and optimisations are being used. This should not be coupled to any particular build type, because even if the build type is Debug, optimisations might still be in use.

    Fixes: #30800. Also somewhat of a followup to #30778 (review).

  2. cmake: decouple FORTIFY_SOURCE check from Debug build type
    `FORTIFY_SOURCE` should be used if `ENABLE_HARDENING=ON` and optimisations
    are being used. This should not be coupled to any particular build type,
    because even if the build type is `Debug`, optimisations might still
    be in use.
    
    Fixes: #30800.
    30803a35d5
  3. DrahtBot commented at 3:36 pm on September 5, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK ryanofsky, TheCharlatan

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label Build system on Sep 5, 2024
  5. fanquake commented at 3:36 pm on September 5, 2024: member
    Not sure about the inline source formatting. cc @hebasto.
  6. in CMakeLists.txt:489 in 30803a35d5
    484+    # _FORTIFY_SOURCE requires that there is some level of optimization,
    485+    # otherwise it does nothing and just creates a compiler warning.
    486     try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
    487       RESULT_VAR cxx_supports_fortify_source
    488+      SOURCE "int main() {
    489+              # if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
    


    hebasto commented at 3:40 pm on September 5, 2024:
    Could you provide a few links that confirm this code checks the source fortification feature?

    fanquake commented at 3:42 pm on September 5, 2024:
    This just checks that optimisations are in use, which is when we want to use it, using the same approach as glibc: https://github.com/bminor/glibc/blob/4945ffc88a8ad49280bae64165683ddfd12b2390/include/features.h#L421.

    fanquake commented at 3:45 pm on September 5, 2024:
    i.e The new code should be performing the same tests as master, except that, rather than outsourcing the check for optimisations to a test of whether or not the build mode is Debug, it tests if optimisations are being used directly.

    ryanofsky commented at 5:01 pm on September 5, 2024:

    The check above reminds me of the part of the XZ backdoor where the attacker inserted a single . character to disable a linux security feature in a similar cmake check:

    https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d

    So I think it might be useful to add a sanity check to confirm that cxx_supports_fortify_source is actually true in release builds:

    0if(NOT cxx_supports_fortify_source AND CMAKE_BUILD_TYPE MATCHES "Release")
    1    message(FATAL_ERROR "Error: Current release build flags are incompatible with fortify_source")
    2endif()
    

    Separately, one theoretical drawback of this new implementation is it probably disables fortify source unconditionally in multi-configuration cmake backends like visual studio and xcode, whereas the previous $<$<NOT:$<CONFIG:Debug>>: generator expression was more flexible and it could enable fortify source in release configurations while disabling it in debug configurations. But I think this doesn’t matter in practice because source fortification is a GNU feature which presumably doesn’t work in visual studio or xcode anyway.


    fanquake commented at 5:10 pm on September 5, 2024:

    I am certainly open to additional approaches in regards to the (potential fragility) of inline source.

    So I think it might be useful to add a sanity check to confirm that cxx_supports_fortify_source is actually true in release builds:

    I have a PR to try and do this in #27038.


    ryanofsky commented at 5:13 pm on September 5, 2024:

    I have a PR to try and do this in #27038.

    Nice that seems potentially more reliable than suggested sanity check


    maflcko commented at 10:14 am on September 9, 2024:
    Wouldn’t it be simpler to upgrade the warning to an error with -Werror=cpp? This should avoid the need for any C++ source code?

    fanquake commented at 10:20 am on September 9, 2024:
    Can you elaborate? The issue is that one of the warnings is something we don’t want to turn into an error, otherwise the check will fail incorrectly. See: #30800 (comment).

    maflcko commented at 10:35 am on September 9, 2024:
    Ah right, I missed that this requires GCC 12, or later. It could make sense to first detect that (https://github.com/bitcoin/bitcoin/pull/27027#issuecomment-1460007675), however I am not sure if this is worth it, given that GCC11 support may be dropped at some point in the future.

    fanquake commented at 10:44 am on September 9, 2024:
    Yea, I’m not sure that making this logic more complicated is worth it, to suppress (harmless) warnings, given that hardening also continues to work for GCC 11 & FORTIFY=3 (2).
  7. ryanofsky approved
  8. ryanofsky commented at 5:14 pm on September 5, 2024: contributor
    Code review ACK 30803a35d54acda19ded88474c205f8954fea5e1
  9. TheCharlatan approved
  10. TheCharlatan commented at 10:04 am on September 9, 2024: contributor

    ACK 30803a35d54acda19ded88474c205f8954fea5e1

    Tested by adding -DAPPEND_CXXFLAGS="-O0" to the build configuration.

  11. fanquake merged this on Sep 9, 2024
  12. fanquake closed this on Sep 9, 2024

  13. fanquake deleted the branch on Sep 9, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-26 15:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me